Open Source Security
This has been touched on in other threads that I searched, but I'd like to hear more discussion. A programmer recently told me they never use open source because it's less secure, and my reading says it's an ongoing debate about which is more secure - open source or commercial. What is everyone's opinion?
Is it safe to use an open source package for part of a site but commercial software for more sensitive areas such as payment gateways? How does something like Zen Cart fit into that? Could you use Zen Cart but with a commercial gateway, for example? What about phpBB and many of the other open source projects? Are any open source mailing programmes safe, or is it better to go for the paid ones?
I guess all this means I have to pick up my knowledge of PHP to be able to modify open source packages if I use them.
What are your opinions?
Blue
Abhishek Reddy posted this at 14:18 — 1st September 2006.
He has: 3,348 posts
Joined: Jul 2001
There is no such distinction. Lots of free, libre and open source software is commercial, and vice versa. You could pay for free software, or you could receive non-free software at no monetary cost. Free software is about freedom, not price.
If you're asking about the security of free vs non-free software, then consider the success of Apache, Firefox, OpenSSH, GnuPG, and BSD compared with IE, IIS, Windows, etc. There is no reason to think that non-free software is inherently more secure.
Indeed, some people think that an open development model is more conducive to secure software, because any number of people can review code and fix bugs. Secure design, development and usage practices are customary in the free software world anyway, so the architecture of systems tends to be robust and easy to harden.
Of course, this isn't always the case. Some non-free software is implemented well, just as some free software is implemented poorly. The point is that generalisations like the one your programmer made are useless. Regardless of what software you choose, you should audit it before having confidence in its security.
Todmeister posted this at 02:17 — 2nd September 2006.
He has: 19 posts
Joined: Aug 2006
SugarCRM & oscommerce.com, PHP is only as good as the community surrounding it! A good community will have hundreds if not thousands of coders working & contributing to the open source software for patches & customizations, whereas off-the-shelf dictates when & where security patches come out & customizations are out of the question!
demonhale posted this at 03:50 — 2nd September 2006.
He has: 3,278 posts
Joined: May 2005
Good thing about OS software is that updates and security patches are more frequently released, thus newer holes and bugs get fixed quickly until it's rock solid. The success of OS software is the team and support behind it... So it's also fair to surmise that OS software can sometimes be more secure...
photoshop250 posted this at 04:46 — 2nd September 2006.
They have: 37 posts
Joined: Aug 2006
I think that non-free software is less secure... look at Windows. I think this is because the companies that create such programs are more worried about the bottom line, and if they have to take a few short cuts then so be it. Free and open source software, on the other hand, is created by people for the fun and passion of doing it, and they will try their best to make it secure within their abilities.
Abhishek Reddy posted this at 06:38 — 2nd September 2006.
He has: 3,348 posts
Joined: Jul 2001
I partially agree with that. I would restate it as: "when free software is more secure, it is often because of ...", rather than "free software is always more secure because of ...".
Solaris/SunOS is possibly a good example of non-free software being more secure (than some variants of GNU, out of the box).
It's difficult to generalise.
Shirthead posted this at 10:52 — 2nd September 2006.
He has: 58 posts
Joined: Jun 2006
In my personal experience I've had more security issues with paid software than open source. How representative that is I don't know, but I certainly would not be put off something because it is open source and because that could mean more security issues - that logic is just flawed (and usually used by people getting commission off paid solutions!).
However a piece of software is produced, I would look at it on its own merits before using it. Whether it was open or closed source would not factor into the question about security, other than in so far as, if a hole is discovered in an OS solution, you can always close it yourself.
Abhishek Reddy posted this at 11:17 — 2nd September 2006.
He has: 3,348 posts
Joined: Jul 2001
This is an invalid distinction, please refer to my first post in this thread.
Shirthead posted this at 11:23 — 2nd September 2006.
He has: 58 posts
Joined: Jun 2006
True - I did correct it later in the post though.
Blue posted this at 22:33 — 2nd September 2006.
They have: 112 posts
Joined: Aug 2001
Very helpful responses, thank you. The general consensus seems to be that the individual software package is more important than whether it's free. So the next question is: how does one evaluate a program? Are there any sites that monitor or evaluate the relative security of different software?
Blue
Busy posted this at 10:23 — 3rd September 2006.
He has: 6,151 posts
Joined: May 2001
There are a lot of sites around that do list security bugs/issues with open source programs (after they contact the owner/developer). Do a search for "xxxx bugs" (xxxx being the program name) or "xxxx security".